Generic Account Policy and Procedure


Overview

Purpose: 

Generic accounts are required for certain types of access to equipment and systems from time to time. This Policy and Procedure provides guidelines for issuing, securing, and deleting generic accounts, and defines how generic accounts are to be created, maintained, audited and removed. 

Applicability: 

This policy applies to all generic accounts set up and maintained to support R-MC computer and business requirements. This policy applies to generic accounts that are used to log in locally and remain logged on for specific functions. 

Roles and Responsibilities: 

ITS Systems Administrators 

IT systems administrators are responsible for setting up generic accounts and managing them according to the standards defined in this policy and procedure. All generic accounts must be sponsored and/or owned by a specific individual who is responsible for securing the account with Duo/Microsoft MFA or a complex password. The individual requesting the account must be recorded along with their position/title/name. 

Systems Administrators are responsible for reviewing the generic account sponsor's request to determine whether or not there is a valid justification to create a generic account. 

Generic Account Auditor 

The Generic Account Auditor is responsible for periodically reviewing generic accounts and verifying that they are eligible to remain active and meet the criteria to remain active in accordance with the defined purpose or workload of a generic account. 

Generic Account Sponsor 

The account sponsor is responsible for requesting and securing the generic account according to the policy and procedure. The sponsor is responsible for providing a justification for why a generic account is being created, and it must be for a valid business reason. The sponsor not wanting to log in with their own account is not a valid reason. There are legitimate business cases for generic accounts. 

Policy: 

Generic accounts are maintained to perform specific functions as required by users, guests, and others who are not able to, or have not been assigned to, perform the required activity with their own account. Examples include accounts used by guest lecturers in event spaces, impersonating a role or activity to verify systems are working accurately, cases where a shared mailbox will not meet specific requirements, and other miscellaneous business needs. 

Generic accounts may only be used for processes where a user's or guest's assigned RMC user name and password cannot be used to perform the required task/assignment. For example, logging on to a kiosk that displays a presentation continuously in a public space or forum. The generic account should never be used for anything other than its assigned purpose. The purpose of requesting and using a generic account must be included in the request. 

In order to prevent unauthorized use of generic accounts, periodic audits will be conducted and accounts removed when they are no longer needed or used. The policy is to review generic accounts quarterly (every 90 days) to determine if they are being used in accordance with this policy and procedure. 

Any accounts no longer used, or no longer meeting the criteria to be considered a generic account, will be disabled for 180 days. If there are no incidents or issues caused by disabling the account after 180 days, the account will be deleted. 

Generic accounts must be protected with two-factor authentication or a complex password. If a complex password is used, it must be at least 20 characters in length and meet the following complexity requirements: 

  • Contains upper and lower case letters 

  • Contains a special character 

  • Includes a number 

Duo MFA is the preferred method to secure generic accounts, as it allows for the assignment of multiple phones for verification purposes. Microsoft MFA may be used in the event the access is limited to assets and data stored in Microsoft 365. 

All generic accounts must be stored and kept up to date according to the terms of this policy and the overall password and account security policies. 

Procedure: 

The account sponsor will submit a request for a generic account. They must include their name, position, and department/office as the sponsor for this account. The sponsor will include a business justification as to why the generic account is required. It must be for a reason that meets the requirements for using a generic account. 

If the request meets the requirements, then the ITS Systems Administrators will create the account and communicate with the sponsor to set up the account with MFA and an appropriate password. This creation will follow our standard account creation process and the limitations related to setting up MFA or otherwise securing the account appropriately. 

If the request is not approved, then the ITS Systems Administrator will notify the requestor/sponsor that their request cannot be fulfilled using a generic account. The ITS Systems Administrator will provide suggestions that will help the sponsor achieve their goals without a generic account. Recommending a shared mailbox is one example. 

Every 90 days the Generic Account Auditor will review a list of all accounts designated as generic accounts for specific purposes. The accounts will be reviewed by their last account login/access session, sponsor, and the last machine where the account was used. 

Any accounts that have not been used (actively logged in as the account) will be identified in an audit report. The audit report will be shared with the sponsor for the generic account, and they may respond that the account is or is not needed any longer. In the event the sponsor for the account does not respond, the generic account will be disabled according to this policy and procedure. 

After performing the audit of generic accounts, a report will be uploaded as a spreadsheet to the ITS Team SharePoint Site document library to document the results and outcomes of the audit. An appointment will be scheduled with the Infrastructure Team to review the report for accounts that have been disabled for more than 180 days. 

If the disabled accounts are not used or reactivated after 180 days, then they will be deleted. The original list of accounts will be updated to identify any generic accounts deleted after 180 days. 
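The audit lifecycle described in the procedure above (90-day review, 180-day disabled grace period, deletion) and the 20-character password rule, expressed as a small classifier over account records. This is an added illustration, not part of the policy or any R-MC tooling; the account records, hostnames and audit date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_INTERVAL_DAYS = 90   # quarterly review window from the policy
DISABLE_GRACE_DAYS = 180    # disabled accounts are deleted after this period

@dataclass
class GenericAccount:
    name: str
    sponsor: str
    last_login: Optional[date]      # None means the account has never logged in
    last_host: Optional[str]        # last machine where the account was used
    disabled_on: Optional[date] = None

def audit_action(acct: GenericAccount, today: date) -> str:
    """Classify one account on the audit date using the 90/180-day rules."""
    if acct.disabled_on is not None:
        if (today - acct.disabled_on).days >= DISABLE_GRACE_DAYS:
            return "delete"           # disabled for 180+ days with no reactivation
        return "keep-disabled"        # still inside the grace period
    idle = acct.last_login is None or (today - acct.last_login).days >= REVIEW_INTERVAL_DAYS
    return "report-to-sponsor" if idle else "active"

def resolve_sponsor_reply(acct: GenericAccount, today: date, reply: Optional[str]) -> str:
    """No reply, or a reply that the account is not needed, disables it today."""
    if reply == "needed":
        return "active"
    acct.disabled_on = today
    return "disabled"

def password_meets_policy(pw: str) -> bool:
    """At least 20 characters with upper, lower, a digit and a special character."""
    return (len(pw) >= 20 and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

# Constructed sample records (hypothetical accounts, not real R-MC data).
TODAY = date(2025, 9, 1)
SAMPLE = [
    GenericAccount("kiosk-lobby", "A. Sponsor", date(2025, 8, 28), "KIOSK01"),
    GenericAccount("lecture-hall", "B. Sponsor", date(2025, 4, 1), "PODIUM02"),
    GenericAccount("old-test", "C. Sponsor", date(2024, 11, 1), "LAB07", disabled_on=date(2025, 2, 1)),
    GenericAccount("new-disabled", "D. Sponsor", None, None, disabled_on=date(2025, 8, 1)),
]

def audit_report(accounts=SAMPLE, today=TODAY) -> dict:
    """Map each account name to the action the policy requires on the audit date."""
    return {a.name: audit_action(a, today) for a in accounts}

if __name__ == "__main__":
    for name, action in audit_report().items():
        print(f"{name:14} {action}")
```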

Details

Article ID: 4307
Created
Wed 7/2/25 9:14 PM
Modified
Sun 8/24/25 8:43 PM